I. INTRODUCTION



Recognizing the relationship between policies and mechanisms has been a problem in the specification and design of many computer systems. What is needed is a simple methodology for assessing the suitability of a protection mechanism to enforce a non-discretionary security policy. Such a methodology, based upon the entity-relationship model and designed with validation of security enforcement as its primary objective, is presented.

Defined as the assignment technique, this mathematically oriented methodology establishes a relationship between the information sensitivities of the system's entities (partitioned according to the policy constraints) and the dominance domains (inherently established by a mechanism). The assignment technique provides a means for mechanism sufficiency validation, since the results of the assignment can be evaluated to determine whether the constraints of the policy are met.

Mechanisms are defined as procedural specifications that prevent the occurrence of operations. Protection mechanisms, then, control a subject's access to an object by adhering to some procedural specification of access rules. Policies, however, are generally stated in a non-procedural form. This leads to a problem in translating policies into mechanisms, and in verifying the accuracy of this translation.

Only non-discretionary security policies are discussed in detail. Such policies, however, are extremely important when dealing with protection of business information as well as National Security. Computer systems designed to provide Command, Control and Communications must rely upon effective non-discretionary security if they are to be of any value to National Defense [1]. Compromise and subversion policies [2] precisely define the requirements, but the suitability of a protection mechanism to meet these requirements is not always apparent. A theoretical foundation from which this suitability may be simply and readily derived is established.



A. BACKGROUND

Non-discretionary policies for the security of sensitive information have existed throughout the annals of history. The basis of these policies lies in a subject (i.e., an active entity) being prohibited modification or observation of an object (i.e., a repository for information or inactive entity) based upon the subject's membership in a specified group. This grouping is established external to the system in which it will be used.

The first computer systems dealt with the problem of security by establishing physical protection perimeters. Walls, locks and marines with rifles provided the environment necessary for system security. This was an acceptable procedure because there were relatively few users of the system and each user was trusted not to violate the security policies. Security was an issue external to the computer itself.

However, as computer technology became more sophisticated, user expectations increased. Policy-makers established security policies and expected their machines to adhere to them without exception. The security perimeters that had been established external to the computer were now to be established internally.

This led to two fields of research. One group, the experimentalists, attempted to design ingeniously contrived mechanisms with little or no concern for the policies which their mechanism would support. Mathematicians, on the other hand, set about the task of modeling policies in a fashion that would establish a foundation for the procedural specification of protection mechanisms. The relationship between these models and the mechanisms was not always clear.

What is needed, and what is presented here, is a simple, complete and consistent means of establishing that a mechanism actually enforces the policy-makers' specifications. This is done by first giving the policy-maker a tool to precisely describe his policy and then giving the systems designers and analysts a technique to evaluate the sufficiency of their mechanism to support this policy.

A careful examination of the fundamental nature of non-discretionary security policies and protection mechanisms is made. This examination is based largely upon the findings of research associated with security kernel technology [3]. The results of this examination show what it is about mechanisms that actually provides the protection and what protection is actually provided. In so doing, a theoretical mathematical foundation is established from which the science of secure computation may proceed to meet the requirements of the policy-maker in a simple, elegant and efficient manner.

B. RELATED WORK 

Research in establishing the suitability of protection mechanisms to meet non-discretionary security policies is practically non-existent. Protection mechanisms are usually presented in an informal manner with implementation details dominating the discussion [4]. Policies, on the other hand, are generated by persons who rarely give consideration to the implementation of these policies in a computer system. The disparity between these two groups has led to little research in methodologies for bridging the broad gap between security policies and protection mechanisms, and even fewer results.

The notion of domains originated with Dennis and Van Horn [5] and their concept of spheres of protection. This idea was improved upon by Lampson [6,7] who coined the term "domain" and noted the usefulness of domains as a conceptual tool for understanding protection mechanisms. Schroeder [8] made use of these ideas to design a protection mechanism that would allow mutually suspicious subsystems to cooperate in a single computation.

Popek [9] modeled the nature of access control with his restriction graphs. Bell and LaPadula [10] made a significant contribution when they identified a mathematical framework within which to deal with the problems of secure computer systems. Their work was based upon general systems theory and finite state automata. Furtek [11] established a similar, less known, mathematical framework based upon the theory of constraints. The Bell and LaPadula work was followed by Walter's [12] development of a lattice model for security policies. This model was refined and later popularized by Denning [13] such that today, nearly all practical policies have been recognized as lattice policies.

Saltzer and Schroeder [14] presented a tutorial on the basic principles of protection in computer systems. Cohen [15], however, provides a far more rigorous discussion of protection mechanisms while Grohn's [16] research provides considerable insight into a number of details regarding access relations.

Much of this early work was directed towards the solution of the computer security problem in National Defense [12,17]. As such, the authors rarely discussed the motivation for their efforts. It was Schell [1], however, who dramatically described the importance of computer security in a modern electronic environment. Recognition of the significance of this problem motivated the research reported here.



C. ORGANIZATION 

The relationship between security policies and protection mechanisms is not obvious. In order to explore this relationship, one must clarify the meaning of security and protection. Only by methodically examining each and every pertinent principle can one hope to establish a mathematical framework which unifies the security policy issues with the protection mechanisms' design.

The nature of non-discretionary security policies is considered first. The meaning of access relations is explored and commonly known policies are discussed.

Next, a formalized notion of domains is presented. A succinct mathematical definition of a domain is offered. The notions of an (access-mode) domain and of dominance domains are introduced as tools for precisely characterizing protection mechanisms.

Section four discusses the theoretical basis for assignment. The assignment technique is explained, and a means for reducing the number of assignment schemes needed to establish the insufficiency of a mechanism to support some particular policy is derived.

Section five presents detailed applications of simple assignment showing the usefulness of the assignment technique, particularly with respect to mechanism sufficiency validation. Section five dispels much of the mystery that surrounds the ad hoc design of secure computer systems.

Every attempt has been made to provide the reader with a clear understanding of the principles of the assignment technique. Readers are encouraged to question these findings and indeed, the fundamentals upon which they are based. Only in so doing can one hope to grasp the meaning of the principles presented and the utility of the assignment technique in establishing a foundation for secure computer systems.
II. NON-DISCRETIONARY SECURITY POLICIES



This section provides a detailed examination as to the nature of non-discretionary security policies after first discussing several pertinent concepts concerning policies in general. Some of the issues presented may appear to confuse policy issues with mechanism issues. Hopefully, this confusion will be resolved as the reader obtains a thorough understanding of the inherently isomorphic nature of policies and mechanisms, as substantiated in the ensuing discussion.

A. THE NATURE OF A POLICY 

The fundamental nature of a policy has not been clearly established in the Computer Science field. For example, Wulf, Cohen, Jones and others suggest that a policy is a mechanism when discussing HYDRA [18]. Jones subsequently discusses how protection mechanisms can be used to enforce security policies [19]. On the other hand, Cohen defines a policy as a problem in his doctoral dissertation [15] but enumerates several protection problems associated with one security policy [15]. Such confusion among such a closely related group of computer scientists specializing in operating system security is by no means an isolated situation.
Snyder [20] makes note of this problem, stating that capability-based protection systems designers rarely consider the security policies their system may implement. Throughout the computer security literature, one may observe that the nature of a policy and how it relates to the protection issues discussed is often ignored. Perhaps this is because the nature of security policies themselves, and the suitability of protection mechanisms to meet these policies, is not clearly understood. It is the intent of this author to address this problem. In order to do so, one begins by formalizing the notion of a policy.

A policy is a specification of behavior. Such a specification constrains the activities within a system by establishing a distinction between acceptable and unacceptable behavior for some set of classes established by the policy. When dealing with the security issue, the classes (i.e., access classes) are simply labels which the policy uses to distinguish between groups of system entities. So a security policy specifies a set of access classes and identifies the acceptable behavior between them.

Enforcement of policies may be realized in a number of ways. In general, any means of security enforcement internal to the computer may be considered to be a protection mechanism. As such, implementation details are generally ignored.

The term behavior generally implies that an active entity is dealing with some other entity or entities. So one can distinguish between two types of entities with respect to security policy specifications. One type is those entities whose behavior is being controlled. These are the active entities within the system and are referred to as "subjects". The other type is those with which the subject interacts during execution that are not subjects, but rather are simply repositories of information [12]. These are the passive entities within the system referred to as "objects".

A process is characterized by an address space and an execution point or state of its virtual processor. It is important to note the distinction between processes and subjects as these two terms are often incorrectly considered to be synonymous. A subject is implemented as a process-domain pair [6,7,8]. One must take care not to confuse these two terms.

Much confusion has been associated with the issue of policy enforcement. A policy may be completely enforced in a system, partially enforced in a system or not enforced at all. Partial enforcement applies only to complex policies for which sub-policies can be formulated and enforced. Partial enforcement does not imply enforcement of a policy only under certain conditions, or at certain times, which is, in fact, no enforcement at all. Partial enforcement refers to enforcement of a sub-policy within the context of the overall policy.

Policies are not problems [15]. Problems occur only in the implementation of a policy and are used to describe pitfalls in the enforcement of some policy of interest.

Applying some policy to a system makes no changes to that system at the time of application. This means that policies do not initially alter the entities with which they deal. Rather, entities are assigned to an access class according to the policy. If an entity is assigned to an access class such that its attributes require modification, or its relationships are invalid, or the entity itself does not belong within the system, the system is not in compliance with the policy. Action may be taken later to bring the system into compliance, but simply associating the policy with the system, in effect, only labels the system entities.

Recognizing the nature of a policy is important if one is interested in enforcement of policies in computer systems. This is because the logical nature of a computing device dictates a logical specification of policy. Having clearly described the nature of a policy in general, one may now examine security policies.



B. SECURITY POLICIES



Security policies are generally grouped into two broad classes. Non-discretionary security policies (sometimes referred to as mandatory policies) are policies which fix the classification of information sensitivities and establish all permissible access relations (viz., subjects gaining some form of access to objects) according to these information sensitivities. Such a policy is generally considered to externally constrain what access is permissible [3]. Enforcement of a policy requires that the sensitivity of all objects and the authorizations of all subjects be clearly identified.

Discretionary policies, in a sense, provide a finer granularity of access control within the constraints of the non-discretionary policies of the system [3]. Authorization to access information and specification of source information access classes are made outside of the computer environment. A policy is discretionary when a subject with access to an object may exercise its discretion in making that object available to some other subject. As such, the information sensitivity of an object is decided in a discretionary or arbitrary manner. This tends to produce "spaghetti bowl" policies where the information sensitivities of objects are not easy to determine. The sensitivity of objects is constantly changing in an arbitrary manner which may not be readily observable or controllable. Such policies are not practical when dealing with many of the National Defense issues. Because of their limited utility, discretionary policies are not as interesting as non-discretionary policies, nor is their enforcement such a critical issue.

Only non-discretionary security policies are examined in this discussion. It is shown that all non-discretionary security policies can be represented as lattice security policies.

C. LATTICE SECURITY POLICIES

A number of non-discretionary security policies have already been described as lattice policies [12,21]. As such, the precise form of the lattice structure is helpful in understanding the nature of the policy [19].

A universally bounded lattice is a mathematical structure consisting of a finite, partially ordered set for which there exists precisely one least common upper element (i.e., the least upper bound (LUB)) and precisely one greatest common lower element (i.e., the greatest lower bound (GLB)) [22,23]. A partially ordered set is a set, Q, for which a relation, R, is applied to Q such that R is reflexive, antisymmetric and transitive [22]. For example, consider the set Q = {q1, q2, q3, q4} and the relation R applied to Q such that q1 R q2 (i.e., q1 is related to q2 by relation R), q1 R q3, q1 R q4, q2 R q4, and q3 R q4. The relation R forms a lattice on the set Q with q1 as the GLB and q4 as the LUB.

When discussing lattice security policies, one recognizes the set Q as the set of access classes established by the policy. The access relation R, however, may vary significantly from policy to policy. This fact is not so well recognized. Denning's information flow model [13], for example, describes a flow relation, "->", defined on pairs of access classes such that for classes A and B, A -> B if and only if information in class A is permitted to flow into class B. This relation applies to compromise and subversion policies, for example, but is meaningless when discussing program integrity.

Three relations between access classes are generally sufficient to describe the specifications of any non-discretionary security policy. For access classes A and B, these are:

A > B    Information of access class A is more sensitive than information of access class B

A = B    Information of access class A is of the same sensitivity as information of access class B

A # B    Information of access class A is in no way related to information of access class B

The notion of sensitivity may be easily confused when discussing several policies. This is because the term takes its meaning from the policy in question and cannot be readily associated with two diverse policies. For example, an object O may be > a subject S with respect to one policy, # with respect to another policy, and S > O with respect to still another policy. Sensitivity, then, may not be useful for discussing multiple policy issues. It is, however, a useful intuitive term for describing the lattice nature of a policy.

This author advances the hypothesis that all non-discretionary security policies may be represented as lattice policies. A simple argument is offered in support of this hypothesis, as a complete proof has not been developed.

Non-discretionary security policies are established external to the computer system environment. As such, they define some form of behavior between subjects and objects from which the system may not deviate without external authoritative approval. The system entities (i.e., the subjects and objects) must be clearly labeled or otherwise identified with respect to the policy. Grouping those system entities whose labels are identical, one may establish a set of equivalence classes which completely partition the system's entities. One may think of these equivalence classes as labeled by the access classes. Such a partitioning, for all practical policies and systems, is finite.
One may then examine the relations between access classes with respect to the policies. Enumerating all the relations between access classes, one may draw a graph, such as that shown in figure 1, with nodes signifying access classes and arcs signifying that the access class of the higher node (i.e., closer to the top of the page) is more sensitive (>) than the access class of the lower node. Transitive relations need not be drawn as their inclusion is implicit and does not affect the graph.



Figure 1. Disjoint Partially Ordered Sets and Nodes 

If any cycles are discovered in an attempt to construct the graph, one may see that the specification of policy is not enforceable. That is to say, for some cycle of access classes A > B > ... > Z > A, the information sensitivity of some access class A is at the same time > A and = A. This is a paradox. Attempting to enforce such a specification is intuitively nonsense! So if one is to have a non-discretionary security policy, viz., one which is to be enforced in a mandatory fashion, one may safely assume that the policy will specify no cyclic relations among the access classes. Therefore, one may categorically state that the graph of any enforceable non-discretionary security policy will never contain any cycles.

Further examining the graph, one can observe that only two general structures may exist. The first consists of unrelated nodes (i.e., those nodes which are singletons representing access classes with no relations to other access classes in the graph). The other structures are partially ordered sets (some of which may be a lattice).




Figure 2. Lattice Structure 

If the graph does not contain a least upper bound (LUB), one may arbitrarily create an access class so designated and establish the appropriate relations with respect to its sensitivity (see figure 2). This access class may also be referred to as the "system high." Likewise, one may do the same for the greatest lower bound (GLB), which is generally known as the "system low." Note that neither the LUB nor the GLB need have any entities associated with their access class. By forming this structure, one has established a lattice.

Thus, all non-discretionary security policies are lattice security policies. Non-discretionary security specifications that generate cyclic structures are not well formed policies and as such, their enforcement cannot be evaluated, nor can one consider such a specification to be a policy worthy of discussion.

D. SIMPLE LATTICE SECURITY POLICIES

A policy is a "simple lattice policy" when the policy establishes either one of two basic lattice structures. The first structure is formed by a simply ordered (viz., linearly ordered or totally ordered) set of access classes. For example, some policy might establish a simply ordered structure where SECRET is more sensitive than (>) CONFIDENTIAL > UNCLASSIFIED. Policies with simply ordered sets of access classes are called "hierarchical policies."

The other basic lattice structure is formed by a mutually exclusive set of access classes. For example, some policy might establish a mutually exclusive structure where CRYPTO is not related to (#) NATO # NUCLEAR. Those policies with mutually exclusive sets are called "category policies." One should note that a "compartment" access class, e.g., CRYPTO-NATO, is formed when some restricted form of access is available to two or more otherwise mutually exclusive categories of information.

Recall that a lattice security policy partitions the system's entities, with respect to their information sensitivities, into a set of equivalence classes that can be labeled by the access classes. Consider any two lattice security policies, P1 and P2, and some system containing a non-empty set of entities, A. When P1 is applied to the system, a partition is established creating the set of equivalence classes {e1, e2, ..., ei, ..., en}. Applying P2 to this system so partitioned refines the system, producing a unique partitioning π. π, then, is simply the product of the partition induced by P1 and the partition induced by P2. So for each ei, an equivalence class created by P1, a new set of equivalence classes, {ei1, ei2, ..., ein}, is produced. The partition π forms a lattice, viz., that induced by the composite policy P.



It readily follows that all lattice security policies are the product of one or more simple lattice policies. The total non-discretionary security package for a system, then, consists of some set of simple lattice security policies successively refining the system's entities, none of which may produce conflicting policies. This is shown to be particularly useful knowledge when one attempts to use the assignment technique as a means of security validation.
E. ACCESS RELATIONS

Any specific non-discretionary security policy will distinguish one or more distinct access relations between subjects and objects. Associated with these distinctions one may derive, where not otherwise specified, the set of "access rights" which may be accorded to the subject. These access rights specify the liberties which the subjects may take with respect to these objects. Access rights are typically mirrored in the "access modes" of the corresponding protection mechanism. Although there exists a fine difference between an "access right" and an "access mode", viz., "access rights" are associated with security policies and "access modes" are associated with the protection mechanisms which enforce the policy, this discussion frequently refers to an "access right" as an "access mode" because it is the access mode which must inevitably be questioned when evaluating the enforcement of a security policy.

The enforcement of a policy is fundamentally limited by the system's granularity of access, which may also be thought of as the system's variety or richness of access modes. Policies that prescribe distinctions not recognized by the access control mechanisms must be enforced in an overly restrictive manner or ignored. For example, a policy addressing a concatenation access relation cannot be precisely enforced on a system that does not recognize some form of append access mode.

The basis of all security enforcement evaluation lies in the acceptability of an access relation. An access relation is defined as a tuple (subject, access mode, object). This tuple signifies that a relation between the subject and object exists such that the subject is permitted to access the object with all the privileges associated with the access mode. The problem of information security may generally be expressed as the problem of permitting the existence of only those access relations that in no way violate any of the applicable system policies.

One can see, then, that the granularity of access control within a system is dependent upon the ability to distinguish attributes of subjects and objects plus the distinct access modes available. The primitive access modes (i.e., those access modes that are not decomposable by the system) associated with the design of the system, including the protection mechanisms, designate the associated rights accorded to an access request.

When the granularity of access is successively refined, one may observe two conflicting phenomena. First, the ability to distinguish between access relations is more pronounced, thus allowing for greater sophistication and variety in policy formulation. The problem, however, is that the increased distinctions of access relations increase the complexity of the security evaluation process. Systems designers are faced with the problem of striking a balance between the granularity of access and the complexity of system security validation. This has not deterred the efforts of many systems designers, however, as the granularity of subjects and objects is quite refined in many systems. Unfortunately, such systems, almost without exception, have failed to enforce even minimal non-discretionary security policies.

Two generic access modes are particularly useful in the discussion of security. These are [16] "observe" (the ability to observe information) and "modify" (the ability to modify information). Other access modes may be generally thought of as a finer granularity of these two access modes. Figure 3 illustrates one such possible set of primitive access modes and how they are associated with the generic access modes.




Figure 3. Generic Access Modes 

The problem of computer security enforcement can be reduced to the problem of limiting the access relations within the system to only those that neither directly nor indirectly violate the system's security policies. If one can establish that all of the access relations permitted in the system are acceptable to the policy, one has established that the system is "secure."

F. ILLUSTRATION OF POLICIES 

In reviewing the computer science literature, this author was unable to discover any illustration forms appropriate for showing the features of non-discretionary security policies in sufficient detail that one could readily discern all permissible access relations within the system simply by examining the illustration alone. This section presents a review of the major forms examined and their failure to adequately illustrate access relations. It also provides two proposed alternative forms that more clearly illustrate access relations of a system in a manner which leaves no doubt as to the nature of the policy and the requirements for its enforcement.







Figure 4. Basic Lattice Form 

Figure 4 shows a representation for a lattice structure commonly found in mathematical texts [22,23]. With respect to lattice security policies, each node represents an access class and the arcs signify that the node nearer the top of the page represents an access class which is more sensitive than the lower nodes' access class. Thus, in figure 4 one may observe that A > D and B # A. Sometimes these arcs are labeled by ">" symbols, but this merely tends to clutter the illustration and provides no additional information. Note that this form provides no information regarding access relations without some examination of the policy that is being illustrated, e.g., one cannot readily answer the question "can a subject of access class A write to an object of access class D?"

The form shown in figure 5 provides basically the same information. This form illustrates the permissible information flow that is immediate and non-reflexive by means of directed arcs. Nodes are once again used to represent access classes. Access relations are still non-discernible by examination of the illustration alone.




[Figure 5. Information Flow Form: access classes as nodes, immediate information flows as directed arcs; diagram not reproduced.]

Another form which is popular in capability-based
protection systems research [24], illustrated in figure 6,
is called a protection graph [20]. These graphs specify each
subject as a solid node, "●", and each object as an empty
node, "○". The directed arcs between nodes specify the
access rights of the source by the associated labels. This
form provides an extremely detailed means of representing
all access relations within the system. Unfortunately, this
form provides such detail that an illustration of any
practical system becomes exceedingly busy. Thus one quickly
loses the ability to distinguish between access classes even
when they are clearly labeled. What is needed is a higher
order of abstraction for the presentation of practical
systems.

Figure 7 represents the first illustration form proposed
by this author, called an "access relation graph". In this
form, each node represents an access class as specified by
the policy. All non-reflexive immediate access relations
[13] between access classes (except those that may be
established by forming a transitive closure over some given
access mode(s)) are grouped by access mode and shown as
directed arcs labeled by the associated access mode(s). This
form solves the problem of the protection graph for
non-discretionary security policy representation by
providing the minimum information necessary for one to fully
grasp all the security implications of the policy from a
single illustration.




[Figure 7. Access Relation Graph: access classes as nodes, immediate access relations as directed arcs labeled by access mode; diagram not reproduced.]

An access relation graph clearly shows all permissible
access relations specified by a non-discretionary security
policy. Reflexive relations, i.e., those with a subject of
the same access class as the object, need never be
specifically cited unless some access mode is not permitted
within an access class. Antisymmetric relations are clearly
defined by the directed arcs. Transitive relations are
inferred from a path of two or more antisymmetric
relations (viz., in figure 7 a subject of the LUB access
class may read from an object of the GLB access class).
Therefore, the form meets the mathematical requirements for
a lattice in that all access relations for the lattice
(i.e., a universally bounded partially ordered set) are
clearly illustrated.

In its most delineated case, the access relation graph
is reduced to a protection graph. The advantage of the
access relation graph over the protection graph is
simplicity. Only the access relations needed to represent
the policy are shown. Additionally, complex policies and
composite policies are illustrated in one simplified form.

Another illustration form that is particularly useful
when discussing uniform lattice structures (i.e., those
access relation graphs where the access modes between any
two antisymmetric access classes are identical) is the
linear access graph. Such a graph shows the security
label(s) of the objects (i.e., how one represents the
sensitivity of the object) and denotes the access modes
available to subjects of varying sensitivity with respect to
the sensitivity of the objects. Figure 8(A) illustrates a
simple general linear access graph. In this figure, subjects
of greater sensitivity than the object's sensitivity would
enjoy the use of access mode(s) 2 when referencing that
object. Subjects of lesser sensitivity than the object's
sensitivity would enjoy the use of access mode(s) 1 when
referencing that object. Subjects of the same sensitivity as
the object would enjoy access modes 1 and 2 when referencing
the object. The linear access graph for the Multics Ring
Brackets, first pointed out to the author by R. Schell, is
shown as an example of a familiar policy represented in this
form in figure 8(B).

[Figure 8. Linear Access Graphs. (A) The general form: a horizontal axis running from System High on the left to System Low on the right, with the object's Security Label between them; access mode(s) 1 is drawn above the axis and access mode(s) 2 below it. (B) The Multics ring brackets: the axis runs from Ring 0 through R1, R2 and R3, with the write, read, execute and "call as a gate" access modes marked against the ranges of rings in which each is permitted.]

The disadvantage of the linear access graph is that it
may only be used for illustration of uniform policies, i.e.,
those policies where the access relations between any two
access classes (one of which is more sensitive than the
other) are identical. The succinct nature of this form,
however, makes it possible to capture the essence of a class
of policies, i.e., those which may be described by the same
linear access graph, without going into all the details.

G. EXAMPLE POLICIES 

Having discussed the nature of policies in general, one
is now prepared to examine several specific policies of
interest. Such a discussion logically begins with the two
broadest classes of security policies, i.e., compromise and
subversion.

[Figure 9. Compromise Policy: linear access graph with the object's Sensitivity Label between its Upper Limits and Lower Limits; Modify is the access mode available toward the upper limit and Observe the access mode available toward the lower limit.]

A compromise policy, sometimes referred to simply as a
security policy, is one whose primary intent is to prohibit
the unauthorized observation of information. Figure 9 shows
the general form of such a policy. Subjects may observe only
those objects whose sensitivity is less than or equal to the
subject's sensitivity, in order to prevent direct observation
of an object by an unauthorized subject, viz., the Simple
Security Condition [10]. In order to prevent indirect
observation of objects by unauthorized subjects, a
sufficient but not necessary condition establishes that
modification of objects must at least be limited to those
subjects whose sensitivity is less than or equal to the
object's sensitivity, viz., the (Security) Confinement
Property, also known by the less descriptive title of the
*-Property [10].

A subversion policy, sometimes referred to simply as an
integrity policy, is the dual of a compromise policy. The
primary interest of a subversion policy is to prohibit the
unauthorized modification of information. Figure 10
illustrates these general characteristics. Subjects may
modify only those objects whose sensitivity is less than or
equal to the subject's sensitivity, in order to prevent
direct modification of an object by an unauthorized subject,
viz., the Simple Integrity Condition [21]. In order to
prevent indirect modification of objects by unauthorized
subjects, a sufficient but not necessary condition is that
observation of objects must be limited to those subjects
whose sensitivity is less than or equal to the object's
sensitivity, viz., the Integrity Confinement Property [21].

[Figure 10. Subversion Policy: linear access graph with the object's Sensitivity Label between its Upper Limits and Lower Limits; Observe is the access mode available toward the upper limit and Modify the access mode available toward the lower limit.]

The importance of subversion policies should not be
underestimated [2,21]. Changing the course of an ICBM, for
example, should in most cases require a more sensitive
authorization than simply knowing its course. Such policies,
however, are often overlooked in many Command, Control, and
Communications systems [2].

Another general class of policies that is of general
interest in Security Kernel research, and whose title was
coined during the course of this research effort by R.
Schell, are the "Program Integrity" policies [4]. The notion
of program integrity stems from the desire to prohibit
unauthorized modification of executable programs by less
trustworthy subjects. In the general case, one wishes to
ensure that the more sensitive programs are "tamperproof."
In other words, one wants to be sure that the program can be
"trusted" to perform as specified and cannot be "tricked"
by merely reading data of lower sensitivity or "importance."
For example, a system designer/programmer may wish to ensure
that his programs always perform as specified in both his
test environment and in any application environment. Unlike
a strict integrity policy [21], program integrity is not
concerned with the issue of general observation of
information. Program integrity is therefore less
conservative (and thus more "risky") than Biba's integrity
policy. Program integrity deals only with execution and
modification of information. Figure 11 illustrates
the general form of a program integrity policy.



[Figure 11. Program Integrity Policy: linear access graph with the object's Sensitivity Label between its Upper Limits and Lower Limits; Execute is the access mode available toward the upper limit and Modify the access mode available toward the lower limit.]



One may guarantee that no direct modification of a
program by an unauthorized subject (i.e., a direct threat)
is possible by enforcement of the following condition:

Simple Program Integrity Condition: If a subject
has modify access to an object, then the program
integrity of the subject is greater than or equal
to the program integrity of the object.



Because program integrity policies are concerned with
the execution issue (versus the observation issue [31]),
indirect modification of information is not strictly
prohibited. This provides a certain degree of flexibility,
but also produces a certain amount of risk [19]. Confinement
of execution reduces the risk of such an indirect threat but
does not eliminate it. A more sensitive subject must be
trusted not to modify a less sensitive object, either
intentionally or otherwise. An indirect threat occurs when a
subject executes a program that has been modified by a less
trustworthy subject; therefore, one wishes to confine the
execute access relations. The confinement property for
program integrity is defined as follows:



Program Integrity Confinement Property: If a
subject has execute access to an object, then the
program integrity of the object is greater than or
equal to the program integrity of the subject.
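The three policies above differ only in which access mode runs up the lattice and which runs down. The following Python program is an added illustration written for this edition, not code from the thesis. It encodes a lattice of access classes by its Hasse diagram (the interior shape of the lattice is constructed for the example; only the LUB and GLB labels come from the text), derives the full access relation graph of figure 7 for the compromise, subversion and program integrity policies, and checks the "sufficient but not necessary" claim by searching for the indirect flows that the confinement properties are meant to stop. A fourth policy, the Simple Security Condition with no confinement property, is included for contrast.

```python
"""Lattice security policies as access relation graphs, with a check for
indirect (flow) threats.  Added example; not part of the original thesis."""
from itertools import product

# Constructed lattice of access classes, given by its Hasse diagram: each
# class maps to the classes immediately below it.  Only the LUB and GLB
# labels come from the text; the interior shape is invented for the example.
HASSE = {
    "LUB": {"A", "B"},
    "A": {"C", "D"},
    "B": {"D"},
    "C": {"GLB"},
    "D": {"GLB"},
    "GLB": set(),
}


def transitive_closure(arcs):
    """Map every node to the set of nodes reachable from it, itself included."""
    closure = {}
    for start in arcs:
        seen, stack = {start}, [start]
        while stack:
            node = stack.pop()
            for nxt in arcs.get(node, ()):
                if nxt not in seen:
                    seen.add(nxt)
                    stack.append(nxt)
        closure[start] = seen
    return closure


DOM = transitive_closure(HASSE)


def dominates(x, y):
    """x >= y in the lattice (x == y allowed): y lies on a downward path from x."""
    return y in DOM[x]


# A rule says which way an access mode may cross the lattice:
# "down": the subject's class must dominate the object's; "up": the reverse.
def down(s, o):
    return dominates(s, o)


def up(s, o):
    return dominates(o, s)


def unrestricted(s, o):
    return True


# Each policy lists its access modes and, under "flow", the only direction in
# which information may move: "up" toward higher sensitivity for a compromise
# policy, "down" toward lower sensitivity for the two integrity policies.
POLICIES = {
    # Simple Security Condition + (Security) Confinement Property
    "compromise": {"flow": "up", "observe": down, "modify": up},
    # Simple Integrity Condition + Integrity Confinement Property
    "subversion": {"flow": "down", "observe": up, "modify": down},
    # Simple Program Integrity Condition + Program Integrity Confinement Property
    "program_integrity": {"flow": "down", "modify": down, "execute": up},
    # Simple Security Condition alone, for contrast: modify is unconstrained
    "compromise_no_confinement": {"flow": "up", "observe": down, "modify": unrestricted},
}


def modes(policy):
    return [m for m in POLICIES[policy] if m != "flow"]


def permitted(policy, mode, subject_class, object_class):
    rule = POLICIES[policy].get(mode)
    return rule is not None and rule(subject_class, object_class)


def access_relation_graph(policy):
    """All permitted (subject class, object class, mode) triples: the arcs of
    figure 7 with the reflexive and transitive arcs written out."""
    classes = list(HASSE)
    return {
        (s, o, mode)
        for mode in modes(policy)
        for s, o in product(classes, classes)
        if permitted(policy, mode, s, o)
    }


def flow_violations(policy, read_mode, write_mode):
    """Indirect threats.  A subject that may `read_mode` an object of class X
    and `write_mode` an object of class Y can move information from X to Y.
    Returns every such (X, Y) that runs against the policy's flow direction."""
    if POLICIES[policy]["flow"] == "up":
        flow_ok = lambda src, dst: dominates(dst, src)
    else:
        flow_ok = lambda src, dst: dominates(src, dst)
    arcs = access_relation_graph(policy)
    flows = {
        (x, y)
        for (s1, x, m1) in arcs if m1 == read_mode
        for (s2, y, m2) in arcs if m2 == write_mode and s2 == s1
    }
    return sorted((x, y) for x, y in flows if not flow_ok(x, y))
```

Calling flow_violations("compromise_no_confinement", "observe", "modify") lists every pair of classes between which a single subject can carry information downward, (LUB, GLB) among them; the same call for "compromise", and the corresponding calls for "subversion" and "program_integrity", return an empty list, which is the indirect-threat protection the confinement properties buy.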



The remainder of the section discusses three policies of
general interest to federal ADP users. Any computer system
designed for use by the federal government should, as a
minimum, consider its ability to enforce these policies.

1. National Security Policy

The National Security Policy classifies information
essential to the National Defense or foreign relations of
the United States. The President of the United States
established this policy in Executive Order Number 12065,
dated June 28, 1978 [25]. This order defines three levels of
classification as follows:



TOP SECRET: That information or material the
unauthorized disclosure of which could reasonably
be expected to cause exceptionally grave damage to
the national security.

SECRET: That information or material the
unauthorized disclosure of which could reasonably
be expected to cause serious damage to the
national security.

CONFIDENTIAL: That information or material the
unauthorized disclosure of which could reasonably
be expected to cause damage to the national
security.

Implicit in this set of definitions, there also
exists a classification of information which is not
classified. Therefore, one has four hierarchical access
classes established by this policy, the intent of which is
to prevent unauthorized disclosure (viz., observation) of
information so classified. Figure 12 shows the access
relation graph for this compromise policy, which is referred
to as the basic National Security Policy.

Executive Order 12065 also establishes [25] the
authority to originally classify new information.
Information may be classified Top Secret only by officials
designated in writing. Information may be classified Secret
only by officials who have Top Secret classification
authority or by officials designated in writing. Information
may be classified Confidential only by officials with Top
Secret or Secret classification authority or by officials
designated in writing.



In order to obtain access to classified material, the
order indicates that a person must be determined
trustworthy (granted clearance) and that access is necessary
in the performance of that person's duties ("need to know").
This is a discretionary policy, however, and will be
discussed no further. All classified material shall be
appropriately and conspicuously marked to put all persons on
clear notice that the information is classified. Classified
material no longer needed shall be promptly destroyed.



[Figure 12. Basic National Security Policy: access relation graph of the four classes TOP SECRET, SECRET, CONFIDENTIAL and UNCLASSIFIED, with arcs labeled Observe between adjacent classes; diagram not reproduced.]

2. National Integrity Policy

The dual of the National Security Policy is the
National Integrity Policy [21]. Motivation for such a policy
comes from the desire to prohibit subversion, i.e., the
unauthorized modification of information. The following set
of integrity classes has been established for this policy
[21]. Implicit with this classification scheme, one also has
information that is not classified.



TOP SECRET: That information or material the
unauthorized modification of which could
reasonably be expected to cause exceptionally
grave damage to the national security.

SECRET: That information or material the
unauthorized modification of which could
reasonably be expected to cause serious damage to
the national security.

CONFIDENTIAL: That information or material the
unauthorized modification of which could
reasonably be expected to cause damage to the
national security.



One further point concerning Integrity Policies must
be emphasized before one proceeds. Generally speaking, one
has a good notion of how to classify information with
respect to security and unauthorized observation, but
classification with respect to integrity is not so easily
identified. In some sense, integrity classification must be
determined by the object's potential importance rather than
by its current importance. Consider, for example, a
sine function tucked away in some obscure user library. If
this function is used to compute trajectories for an
inter-continental ballistic missile, it becomes TOP SECRET
with respect to the National Integrity Policy, whereas it
is clearly UNCLASSIFIED with respect to the National
Security Policy. Classification of information with respect
to integrity will generally require considerable planning
and foresight [2].

3. Privacy 

The Code of Fair Information Practices and the
Privacy Act of 1974 established the following basic policy
for the Federal Government [26].



(1) There must be no personal data record-keeping
systems whose very existence is secret.

(2) There must be a way for an individual to find
out what information about him is on record and
how it is used.

(3) There must be a way for an individual to
correct or amend a record of identifiable
information about him.

(4) There must be a way for an individual to
prevent information about him that was obtained for
one purpose from being used or made available for
other purposes without his consent.

(5) Any organization creating, maintaining, using
or disseminating records of identifiable personal
data must guarantee the reliability of the data
for their intended use and must take precautions
to prevent misuse.



All information systems (including computer systems)
used by the Federal Government are subject to these privacy
requirements and must incorporate a corresponding set of
safeguards when they process "Privacy Information."

These three policies are applicable to many Federal
data processing applications. Numerous other
non-discretionary policies exist both in the Federal, State,
and Local governments and in private industry. It has been
shown in this section that these policies may be precisely
described using access relation graphs or linear access
graphs. Once a policy has been so described, a precise
evaluation of its enforcement may be considered.

III. A FORMALIZED NOTION OF DOMAINS



The notion of a "domain" has not been clearly presented
in a precise manner, nor properly defined. Dennis [5]
introduced the concept by describing a "sphere of
protection." Lampson [5] refined the concept, coining the
term "domain", and defined a domain as a group of
capabilities or protected names. Schroeder [8] maintains
Lampson's definition, but provides an in-depth discussion
and presentation of his ideas, many of which were
instrumental in the formulation of the concepts presented
here. Schroeder further refined the ideas from his thesis,
and together with Saltzer [14], defines a domain as a set of
objects that may be accessed by a principal. This definition
is the most commonly accepted today, but for any rigorous
discussion of domains, or for presentation of a concept such
as the assignment technique, a more formalized definition is
needed.

An access domain Δ is a tuple (a_1, ..., a_n), where n is
the number of primitive (non-decomposable) access modes in
the system and a_i is the set of all objects {O_1, O_2, ...,
O_j, ..., O_m} accessible by the i-th access mode. An
(access mode)-domain is the set of objects that a process
executing in that domain (i.e., a subject) has the right, or
privilege, of accessing according to the rules for that
particular access mode.

Consider the following examples of domains:

Δ1: (Observe (O): {A}, Modify (M): {B})

Δ2: (O:{A,B,C}, M:{A,B,C})

Δ3: (O:{A,C,D}, M: ...)

Δ4: (O:{A,B,C,D}, M:{A,B,C,D})

The observe-domain of Δ1 (denoted OΔ1) is object A
and the modify-domain MΔ1 is object B. Note that simply
referring to Δ1 as containing objects A and B would not
provide much insight into the true nature of this domain
[14].

The notion of "dominance" with respect to domains was
introduced by Crohn [16]. These notions are refined from
security dominance and integrity dominance to a more general
definition of dominance.

A domain Δi dominates (≽) Δj if and only if (iff)
for each access mode a, aΔj ⊆ aΔi. This is
particularly useful when discussing the relationship
between domains with respect to access modes. One can say
that, for some a_i, a_iΔj ≽ a_iΔk iff a_iΔk ⊆ a_iΔj.

Continuing with the previous group of example domains,
OΔ4 ≽ OΔ3, OΔ3 ≽ OΔ1, MΔ4 ≽ MΔ3, and Δ4 ≽ Δ3 [...]

[...]ed for convenience. In the [...] Schroeder's protection
[...] labels for dominance domains [8].



The system's protection mechanisms establish a set of
dominance domains that can be used for evaluating the
protection mechanisms. These dominance domains dominate all
domains that currently exist or may exist within the system.
If one can establish the set of dominance domains for the
system and one can show that the policy holds for these
domains, then one can show that the policy holds for all
domains.

A mechanism, in the most general sense, is something
that prevents the occurrence of certain sequences of
operations [15]. A protection mechanism, or an access
control mechanism, can be defined as something that prevents
the unauthorized access of information. In the broadest
sense, one may include as protection mechanisms such things
as walls, patrol dogs and cypher locks. More specifically,
though, a protection mechanism for a computer operating
system is a procedure, implemented in software, firmware (if
there is such a thing) or hardware, that prohibits the
access of objects within a system such that the domain of
any process is dominated by some particular dominance domain
inherently established by the protection mechanisms.




The Multics Ring Mechanism [28] is a well known
protection mechanism that provides an excellent example for
the discussion of dominance domains. One may think of these
dominance domains as a set of concentric rings (illustrated
in figure 13), each numbered in increasing order from the
inner-most ring or kernel. The kernel is conventionally
assigned ring number zero.

The Multics Ring Mechanism determines the authorized
access of a subject by means of the current ring number (r)
that specifies the dominance domain. Discrimination among
objects is by means of a ring bracket. The ring bracket is a
three-tuple (R1, R2, R3) where R1, R2, and R3 are ring
numbers and R1 must be numerically less than or equal to R2,
which is less than or equal to R3. Access is characterized
by the rules illustrated in the linear access graph shown in
figure 14.

[Figure 14. Multics Ring Mechanism Linear Access Graph: the ring numbers run from Ring 0 through R1, R2 and R3; Write (Modify) is permitted to a process whose ring number r lies in [0, R1], Read (Observe) for r in [0, R2], Execute for r in [R1, R2], and Call (as a gate) for r in (R2, R3].]

Consider now a system that uses the Multics Ring
Mechanism and discriminates among four distinct hierarchical
rings (0 thru 3). One may think of the domains established
by this system as Δ0, Δ1, Δ2, Δ3. Consider the rules of
access established in figure 14, where MΔ0 is the set of
objects that may be modified by a process in domain 0. Then
MΔ0 ≽ MΔ1 ≽ MΔ2 ≽ MΔ3. Likewise, OΔ0 ≽ OΔ1 ≽ OΔ2 ≽ OΔ3.
No such relationship exists for execute or call (as a gate).
EΔ1 does not ≽ EΔ2, as R1 may exceed 1 for some object X,
in which case X ∈ EΔ2 but X ∉ EΔ1. Likewise CΔ1 (the
Call (as a gate) domain of Δ1) does not ≽ CΔ2, as R3 may be
zero, for example, in which case R1 and R2 must be zero,
ruling out the possibility of successive dominance
call-domains.

Note that a single object may be a member of several
dominance domains. Some object X, with ring brackets (0,2,3),
is a member of OΔ0, OΔ1, OΔ2, MΔ0, EΔ0, EΔ1, EΔ2, and
CΔ3. Therefore, X ∈ Δ0, Δ1, Δ2 and Δ3. This concept
can be confusing, as an object is a distinct entity generally
represented by a single image.
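As an added example (not from the thesis), the Python program below encodes the ring-bracket rules of figure 14, computes the access domain tuple (observe, modify, execute, call) for each of rings 0 through 3 over a constructed set of segments, and applies the definition of dominance mode by mode, so that the nesting of the modify and observe domains, the failure of that nesting for execute and call, and the membership of X = (0,2,3) in four different domains can all be checked mechanically. The segment names and every bracket other than X's are invented for the example; the bracket rules are the standard Multics ones and are stated here as an assumption rather than quoted from the text.

```python
"""Multics ring brackets as dominance domains.  Added example, not from the
thesis; the bracket rules are the standard Multics ones (an assumption here)."""

MODES = ("observe", "modify", "execute", "call")

# Rules for a process in ring r and a segment with bracket (R1, R2, R3),
# R1 <= R2 <= R3, as drawn in figure 14.
RULES = {
    "observe": lambda r, b: r <= b[1],           # read:    0  <= r <= R2
    "modify":  lambda r, b: r <= b[0],           # write:   0  <= r <= R1
    "execute": lambda r, b: b[0] <= r <= b[1],   # execute: R1 <= r <= R2
    "call":    lambda r, b: b[1] < r <= b[2],    # gate:    R2 <  r <= R3
}


def valid_bracket(bracket):
    r1, r2, r3 = bracket
    return 0 <= r1 <= r2 <= r3


# Constructed segments (name -> ring bracket).  X carries the bracket (0,2,3)
# used in the text; the other names and brackets are invented for the example.
SEGMENTS = {
    "X": (0, 2, 3),
    "kernel_data": (0, 0, 0),
    "gate_seg": (1, 1, 3),
    "user_lib": (2, 3, 3),
    "user_prog": (3, 3, 3),
}
assert all(valid_bracket(b) for b in SEGMENTS.values())


def access_domain(ring, segments=SEGMENTS):
    """The access domain of a process in `ring`: for each primitive access
    mode, the set of objects the process may access in that mode."""
    return {
        mode: frozenset(name for name, b in segments.items() if RULES[mode](ring, b))
        for mode in MODES
    }


def dominates(d_i, d_j, modes=MODES):
    """d_i dominates d_j iff, for every mode a considered, a(d_j) is a subset of a(d_i)."""
    return all(d_j[m] <= d_i[m] for m in modes)


def dominance_chain(mode, rings=range(4), segments=SEGMENTS):
    """True iff the single-mode domains are nested from ring 0 outward,
    i.e. mode(D0) dominates mode(D1) dominates ... for `mode` alone."""
    doms = [access_domain(r, segments) for r in rings]
    return all(dominates(doms[i], doms[i + 1], modes=(mode,))
               for i in range(len(doms) - 1))


def rings_holding(name, segments=SEGMENTS, rings=range(4)):
    """Every (mode, ring) pair whose mode-domain contains the object `name`:
    the sense in which one object belongs to several dominance domains."""
    return sorted((m, r) for r in rings for m in MODES
                  if name in access_domain(r, segments)[m])
```

With these segments dominance_chain holds for "modify" and "observe" and fails for "execute" and "call", exactly the pattern argued in the text, and rings_holding("X") places X in the observe domains of rings 0 to 2, the modify domain of ring 0, the execute domains of rings 0 to 2 and the call domain of ring 3. Note that dominates(access_domain(0), access_domain(1)) over all four modes is false: ring 0 dominates ring 1 only when the comparison is restricted to observe and modify.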

This section has established a formal definition of
domains suitable for discussion of complex domain-related
issues. The notion of dominance domains was introduced and
their relationship to protection mechanisms established. The
Multics Ring Mechanism provided an example of the means by
which one may evaluate the dominance domains established by
a protection mechanism. Having formalized these concepts,
the relationship between policy and mechanism may now be
investigated in an organized manner.

IV. THE ASSIGNMENT TECHNIQUE



This section introduces a mathematical framework for
evaluating the relationship between non-discretionary
security policies and protection mechanisms. An evaluation
approach, termed "The Assignment Technique", utilizes the
entity-relationship model in establishing an assignment
between the security classes of information established by
the policy constraints, and dominance domains, established
by the properties of the mechanism. The assignment technique
provides a theoretical foundation for assessing the
sufficiency of an access control mechanism with respect to a
well formed protection policy.

This section begins with a general discussion of the
meaning of "assignment". It then proceeds to introduce the
assignment technique in a general form. The section
concludes with a simplification of the assignment technique
made possible by the lattice nature of non-discretionary
security policies.

A. ASSIGNMENT 

Assignment is the establishment of a relationship
between two entities such that the first entity is "assigned
to" the second entity. Mathematically, the term assignment
is not significant. One could easily have said that entity 1
is related to entity 2. Intuitively, however, assignment is
associated with the connotation "to fix authoritatively".
This precisely describes the manner in which this
relationship is established.

Assignment may be denoted by a graph from the first
entity to the second as follows:

entity 1 ---( is assigned to )---> entity 2

It is important to recognize that assignment does not
alter either entity. Assignment is merely the act of
associating an entity or set of entities with some other
entity or set of entities.

Another way to describe assignment is in terms of the
act of forming a tuple (entity 1, entity 2). Additionally,
one may think of assignment as a function (i.e., "is
assigned to") where the assignment process establishes a
mapping between two otherwise disjoint entities. Regardless
of the context of discussion or the symbolism used, one may
simply think of assignment as the act of associating one
thing with another.

B. THE TECHNIQUE 

The essence of the assignment technique is relatively
simple. First of all, consider the nature of a lattice
security policy. Such a policy partitions the objects of a
system into a lattice of equivalence classes labeled by the
access classes as discussed in section II. Each equivalence
class can be thought of as an entity that may be subject to
assignment.

Then consider a mechanism, which establishes a lattice
of dominance domains as discussed in section III. Each of
these domains can also be thought of as an entity that may
be subject to assignment.

Since an assignment can be established between any two
entities, one can make an assignment between the equivalence
classes established by a lattice security policy and the
dominance domains established by some protection mechanism.
One may then validate that (for this assignment) the
mechanism is sufficient to support this policy. This
validation is made by examining the set of access relations
that the mechanism permits, and testing for possible
violations of the policy.

The assignment technique can be described more
systematically as follows:

1) Determine if the policy is a lattice
policy. If not, the assignment technique does not
apply.

2) Establish the set of equivalence classes,
{e_1, e_2, ..., e_i, ..., e_p}, that are
associated with each access class.

3) Determine the set of dominance domains,
{Δ_1, Δ_2, ..., Δ_j, ..., Δ_q}, that are
established by the system's protection mechanism.

4) Make an assignment from e_i to Δ_j.

5) For this assignment, examine the access
relations permitted by the mechanism, testing for
possible violations of the policy.

6) If no violations can exist, the mechanism
is sufficient for the policy in question.

Step 4 of the assignment method allows for considerable
flexibility in the manner in which assignments can be made.
Any possible mapping from equivalence classes to dominance
domains may be considered. This flexibility, however,
implies considerable effort in order to determine that a
mechanism is not sufficient for a given policy. Fortunately,
in this thesis one is specifically dealing with the security
issue. Because of this, several refinements can be made that
greatly simplify this task.

C. SIMPLE ASSIGNMENT 

The question of how one chooses to make assignments
(i.e., the choice of an assignment scheme) may seem
relatively complex upon first inspection of the assignment
technique. The problem, however, becomes almost trivial when
dealing with simple non-discretionary security policies, as
is shown by the following arguments.

First of all, it is clear that the equivalence classes
(established by the policy constraints) represent distinct
access classes. It is also clear that the dominance domains
represent distinct sets of objects. If more than one
equivalence class were assigned to the same dominance
domain, then there is nothing in the mechanism to
distinguish between the access classes. But the policy does
draw some distinctions between these access classes (i.e.,
that distinction established by the definition of the access
classes), so it would not be possible to enforce the policy
with such an assignment. All such assignments can be
eliminated, a priori.

On the other hand, if one equivalence class were assigned
to more than one dominance domain, then some distinction is
being made for an access class that is not specified in the
policy. In some cases, one may find that such distinctions
produce violations of the policy. Although other cases may
not do so, these extra dominance domains are unnecessary,
providing distinctions which have no significance.
Therefore, the number of dominance domains of interest
established by the mechanisms should be equal to the number
of access classes established by the policies.

One may attempt to argue that there may exist dominance
domains that do not receive an assignment. Such domains,
however, must be either empty or in no way allow for an
exception to the enforcement of the policy. As such, one
need not be concerned with the question of their existence.
One need only concentrate on the dominance domains for which
the assignment was made.

Considering assignment as a function, it has been
established that the only assignment schemes of interest are
bijective (i.e., a one-to-one and onto relationship between
the access classes and the dominance domains [22]). This
provides some improvement, but one is still faced with at
least p! possible assignment schemes to evaluate (where p is
the number of access classes established by the policy).

One may gain considerable improvement, however, by only
attempting to validate one simple mechanism with respect to
one simple policy at a time. Furthermore, the knowledge of
partially ordered sets may be used to make our assignments
in a very selective manner. This is done by first requiring
that the lattice for the dominance domains of interest that
one considers for assignment be an isomorphic image of that
for the equivalence classes. This may not be a necessary
condition; however, it in no way invalidates the results
shown (as one would otherwise be dealing with an isomorphic
sub-image established by the mechanism), and it is helpful
in this discussion.

When considering the isomorphic image of a lattice, the
problem of assignment is reduced to a question of
orientation. One may either assign the greatest lower bound
of the lattice to the greatest lower bound of the image, or
assign the greatest lower bound of the lattice to the least
upper bound of the image. Any other assignment would not be
acceptable as it would violate the ordering of the lattice
or of the image.

So for a system of "k" isomorphic images of the lattice
established by the policy, one need only consider at most
2k assignment schemes. In most practical cases, when the
mechanism establishes isomorphic images which are identical
in their access control properties because of the uniform
nature of the mechanism, one need consider only 2 assignment
schemes.
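The following Python program is an added worked example, not code from the thesis, that carries steps 2 through 6 of the assignment technique through for the four-class hierarchical policies of section II (taken in turn as a compromise, a subversion and a program integrity policy) against the four Multics rings of section III, first over all p! = 24 bijections and then over only the two orientation schemes just described. It rests on one modelling assumption of mine: an object kept in ring k is given the bracket (k, k, k), so that under the rules of figure 14 a subject in ring i may observe or modify objects of ring j iff i <= j, may execute only objects of its own ring, and never calls one as a gate.

```python
"""The assignment technique worked for a four-class hierarchical policy
against the Multics ring mechanism.  Added example, not from the thesis."""
from itertools import permutations

# Step 2: equivalence classes of the policy, one per access class, ranked
# from least to most sensitive (the four classes of the National Security
# and National Integrity policies).
CLASSES = ("UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET")
RANK = {c: i for i, c in enumerate(CLASSES)}


def ge(c1, c2):
    """Lattice dominance for a linear order of classes."""
    return RANK[c1] >= RANK[c2]


# Policies as mode -> permitted(subject_class, object_class).
POLICIES = {
    "compromise":        {"observe": ge, "modify": lambda s, o: ge(o, s)},
    "subversion":        {"observe": lambda s, o: ge(o, s), "modify": ge},
    "program_integrity": {"modify": 		ge, "execute": lambda s, o: ge(o, s)},
}

# Step 3: dominance domains of the mechanism, the four rings.  Modelling
# assumption (mine, not the text's): an object kept in ring k has bracket
# (k, k, k), so the figure 14 rules reduce to observe/modify iff subject
# ring <= object ring, execute iff same ring, and call (as a gate) never.
DOMAINS = (0, 1, 2, 3)


def ring_permits(mode, subj_ring, obj_ring):
    if mode in ("observe", "modify"):
        return subj_ring <= obj_ring
    if mode == "execute":
        return subj_ring == obj_ring
    return False


def violations(policy, assignment, mech_permits=ring_permits):
    """Step 5: every (mode, subject class, object class) that the mechanism
    permits under `assignment` (class -> domain) but the policy forbids."""
    cls = {d: c for c, d in assignment.items()}
    rules = POLICIES[policy]
    return sorted(
        (mode, cls[ds], cls[do])
        for mode in rules
        for ds in assignment.values()
        for do in assignment.values()
        if mech_permits(mode, ds, do) and not rules[mode](cls[ds], cls[do])
    )


def sufficient(policy, assignment, mech_permits=ring_permits):
    """Step 6: the mechanism is sufficient for this assignment iff no
    violation can exist."""
    return not violations(policy, assignment, mech_permits)


def exhaustive_assignments():
    """Step 4 in its general form: all p! bijections from classes to domains."""
    return [dict(zip(CLASSES, perm)) for perm in permutations(DOMAINS)]


def orientation_assignments():
    """The two schemes of the simple assignment argument.  In observe and
    modify modes ring 3 is dominated by every other ring, so it is the GLB of
    the mechanism's image and ring 0 its LUB."""
    glb_to_glb = dict(zip(CLASSES, (3, 2, 1, 0)))   # UNCLASSIFIED -> ring 3
    glb_to_lub = dict(zip(CLASSES, (0, 1, 2, 3)))   # UNCLASSIFIED -> ring 0
    return [glb_to_glb, glb_to_lub]


def sufficient_assignments(policy, candidates):
    return [a for a in candidates if sufficient(policy, a)]
```

Under this model no bijection survives step 5 for the compromise or the subversion policy, because the rings order observe and modify in the same direction while each of those policies requires opposite directions; for the program integrity policy exactly one of the 24 bijections survives, and it is the GLB-to-GLB orientation scheme, which is what the simple assignment argument predicts. The first violation reported for the compromise policy under that same scheme, ("modify", "TOP SECRET", "UNCLASSIFIED"), is the downward write that the *-Property forbids.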

The Simple Assignment Theorem: For any simple lattice policy and an isomorphic image established by some protection mechanism, no more than two assignment schemes are necessary to validate the sufficiency of the mechanism to enforce the policy.

Proof Sketch: The proof proceeds by showing that two assignment schemes are reasonable and that all others are not.

1) Make assignments starting from the greatest lower bound (GLB) of the lattice to the GLB of the isomorphic image. Then assign every reachable access class (i.e., those of unit distance) to a reachable dominance domain in the isomorphic image. Next assign all reachable access classes from those just assigned (which are not already assigned) to a corresponding reachable dominance domain. Proceed in this fashion until all access classes have been assigned. An assignment such as that shown in figure 15 will result, where the LUB is assigned to the LUB, A is assigned to A', B is assigned to B', and so forth.

This assignment is a valid assignment in that an assignment can be made from the access classes to the dominance domains that is not inherently incorrect and therefore is worthy of consideration. This does not mean that the protection mechanism is sufficient for this assignment. It only implies that such an assignment scheme is worthy of consideration.



[Figure 15: ACCESS CLASSES assigned to DOMINANCE DOMAINS, GLB to GLB (diagram not reproduced).]
2) Now consider a second practical assignment. This assignment starts from the GLB of the lattice, making an assignment to the LUB of the isomorphic image and proceeding as in the first assignment scheme. The resulting assignment is illustrated in figure 16 where the LUB is assigned to the GLB, A is assigned to D', D is assigned to A', and so forth.
[Figure 16: ACCESS CLASSES assigned to DOMINANCE DOMAINS, GLB to LUB (diagram not reproduced).]




It is important to note that if the lattice structure is not uniform, i.e., inverting the lattice would not produce the same image, then only one of the two aforementioned assignment schemes will be successful. This limitation occurs because one encounters some set of reachable access classes during assignment that have no corresponding reachable dominance domains. However, for any lattice structure, uniform or otherwise, there will always be one assignment scheme to an isomorphic image that is worthy of consideration. This leads us to the following corollary.



Corollary 1. For any lattice policy and an isomorphic image established by some protection mechanism, there exists at least one valid assignment scheme.

Proof Sketch (Corollary 1): The proof is trivial from the definition of an isomorphic image. If a lattice has an isomorphic image, then at least one ordering of nodes in the image is identical to the ordering of nodes in the lattice; therefore, this one ordering is worthy of consideration.

3) Now consider the assignment of the GLB access class to any dominance domain other than the LUB or the GLB. If this is done, then some other access class must be assigned to the LUB dominance domain and still another access class must be assigned to the GLB dominance domain. But if the isomorphic image is to maintain the ordering of the access classes, then there exists some ordering which is not valid because either the GLB or the LUB of the isomorphic image is to be considered less than the GLB (in the image) which must be the least element (viz., least sensitive) according to the policy. Therefore, such an assignment can never be valid. Thus one is reduced to the task of considering only two possible assignment schemes of interest.

One can further simplify the assignment technique by combining steps 4 and 5. This is accomplished by making an assignment and examining all access relations producible immediately. If an access relation is not valid, one can quickly determine that the assignment scheme in use will not validate the sufficiency of the mechanism.

When one is dealing with more complex lattice structures, one is faced with two alternatives. One can either validate the sufficiency of the mechanism for each sub-policy, establishing that if each sub-policy is enforced, then the complex policy is enforced, or one may choose to validate the complex policy by a straightforward assignment. When using a straightforward assignment approach, one must remember that the Simple Assignment Theorem may not apply. This is of no particular consequence when validating a protection mechanism designed for a particular policy where the assignments are chosen carefully. However, establishing the insufficiency of an arbitrary mechanism may require considerably more effort.
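The Simple Assignment Theorem and the combined steps 4 and 5 can be exercised mechanically. The following Python is an added example written for this edit, not code from the thesis: it takes a constructed four-class linear lattice policy and a constructed uniform mechanism whose dominance domains form an isomorphic image, enumerates all p! = 24 bijections, keeps only the order-consistent ones (which turn out to be exactly the two orientations), and then validates each orientation by examining every access relation the mechanism permits against a compromise policy stated in terms of the Simple Security Condition and the Confinement Property. The domain names and the mechanism rule (observe at or below one's own domain, modify at or above it) are assumptions chosen to mirror the policy, not a description of any real system.

```python
from itertools import permutations

# Constructed example (not from the thesis): a linear lattice policy with
# four access classes, listed from greatest lower bound (GLB) to least
# upper bound (LUB).
CLASSES = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]
# A uniform mechanism whose dominance domains form an isomorphic image of
# that lattice, also listed from GLB to LUB (domain names are assumed).
DOMAINS = ["D0", "D1", "D2", "D3"]


def rank(chain, x):
    """Position of x in a linear lattice listed GLB..LUB."""
    return chain.index(x)


def order_consistent(assignment, classes, domains):
    """True if the bijection preserves the lattice order for every pair, or
    reverses it for every pair: the two 'orientations' of the theorem."""
    pairs = [(a, b) for a in classes for b in classes
             if rank(classes, a) < rank(classes, b)]
    preserves = all(rank(domains, assignment[a]) < rank(domains, assignment[b])
                    for a, b in pairs)
    reverses = all(rank(domains, assignment[a]) > rank(domains, assignment[b])
                   for a, b in pairs)
    return preserves or reverses


def worthy_assignments(classes, domains):
    """Enumerate all p! bijections and keep those worthy of consideration.
    For any linear lattice with p >= 2 this yields exactly two."""
    found = []
    for perm in permutations(domains):
        candidate = dict(zip(classes, perm))
        if order_consistent(candidate, classes, domains):
            found.append(candidate)
    return found


def policy_allows(mode, subj_class, obj_class):
    """Compromise policy on the lattice: observe only if the subject
    dominates the object (Simple Security Condition); modify only if the
    object dominates the subject (Confinement Property)."""
    s, o = rank(CLASSES, subj_class), rank(CLASSES, obj_class)
    return s >= o if mode == "observe" else o >= s


def mechanism_allows(mode, subj_dom, obj_dom):
    """Assumed uniform mechanism: a subject in domain i may observe domains
    at or below i and modify domains at or above i."""
    s, o = rank(DOMAINS, subj_dom), rank(DOMAINS, obj_dom)
    return s >= o if mode == "observe" else o >= s


def first_violation(assignment):
    """Steps 4 and 5 combined: walk every access relation the mechanism
    permits under this assignment and return the first one the policy
    forbids, or None if the mechanism is sufficient for this assignment."""
    for mode in ("observe", "modify"):
        for s in CLASSES:
            for o in CLASSES:
                if (mechanism_allows(mode, assignment[s], assignment[o])
                        and not policy_allows(mode, s, o)):
                    return (mode, s, o)
    return None


if __name__ == "__main__":
    for a in worthy_assignments(CLASSES, DOMAINS):
        print(a, "->", first_violation(a) or "sufficient")
```

Running the block shows the GLB-to-GLB orientation passing every access relation and the GLB-to-LUB orientation failing on the first observe relation examined, which is the single counter-example the text says suffices to reject an assignment scheme.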

The basic principles associated with the assignment technique have been presented in this section. One may now consider some simple examples that illustrate the usefulness of assignment.
V. MECHANISM SUFFICIENCY VALIDATION BY ASSIGNMENT



One of the most practical uses for the assignment technique is sufficiency validation of protection mechanisms (i.e., validation of their ability to enforce security policies) [4]. In contrast to other validation techniques, the assignment technique presents a method whose mathematical model (i.e., the entity-relationship model) is based upon the nature of security itself, rather than other methods which adapt the nature of security into a form designed to mesh with the prescribed format of some well known mathematical model. This section discusses mechanism sufficiency validation by assignment for several well known linear non-discretionary security policies. Although the principles discussed in this section apply for all lattice security policies, only linear lattice policies are discussed in this section as they provide a sufficient foundation for the discussion of any lattice policy and are more clearly illustrated in this context.



A. MULTICS RING MECHANISM ASSIGNMENTS 

The question of the sufficiency of the Multics Ring Mechanism for enforcement of the basic National Security policy was the initial problem that prompted the current research effort and led to the formulation of the assignment technique. It is appropriate then, that this analysis be presented as an introductory application of simple assignment.

1. Compromise Policy

As stated previously in section II, the basic National Security policy is a simple lattice security policy. Figure 13 illustrates this policy.

The dominance domains of the Multics Ring Mechanism are most frequently shown as concentric rings numbered in increasing integer order from the innermost ring or the kernel. The security kernel is generally assigned ring number 0. For simplicity, only a system with rings 0 thru 3 is shown in this analysis. Assignment to other ring numbers (such as 2 thru 5 or 4 thru 7) will produce similar results because of the uniform nature of the Multics Ring Mechanism.

Consider as the first assignment scheme the assignment of the TOP SECRET access class (the least upper bound of the policy) to ring 0 (the least upper bound of the dominance domains). The assignment produced is illustrated in figure 17.

Next, according to the assignment technique, one must examine the access relations permitted by the mechanism and test for possible violations of the policy. In order to do so, one must first examine the nature of the Multics Ring Mechanism more closely. A detailed discussion is given by Schroeder [27]; however, a simple explanation of the pertinent details as used in this discussion is provided for those readers not otherwise familiar with Multics.





[Figure 17. Basic National Security Assignment 1. (Diagram: access classes assigned to Ring 0 through Ring 3, TOP SECRET to ring 0; not reproduced.)]



The Multics Ring Mechanism determines the authorized access of a process by means of the current ring number (r). Thus a process which is executing in ring number 1 would need to be cleared for at least SECRET information according to this assignment scheme.

The Multics Ring Mechanism discriminates among objects by means of a ring bracket. The ring bracket is a three-tuple (R1, R2, R3) where R1, R2 and R3 are ring numbers and R1 ≤ R2 ≤ R3. Access to objects is restricted such that the current ring of execution must be less than or equal to R2 to observe information and less than or equal to R1 to modify information. Figure 18 shows characteristics of the ring brackets both in terms of the access modes used in this discussion and the access modes used in Multics.



[Figure 18. Multics Ring Mechanism. (Diagram: ring bracket (R1, R2, R3) from Ring 0 outward, with Write (Modify) permitted up to R1 and Read and Execute (Observe) permitted up to R2; not reproduced.)]



Continuing now with the examination of access relations, consider an object that is classified as SECRET. Such an object must be assigned a ring bracket such that it may be observed by processes in ring 0 and ring 1 only. R2 must therefore be 1. This presents a problem. No matter what value one may choose for R1, a contradiction occurs. If R1 is 0 or 1 then TOP SECRET processes may modify SECRET files, violating the Confinement Property. If R1 is greater than 1, the restrictions of the ring mechanism would be violated (viz., R1 > R2). Therefore, one can conclude that this assignment is not acceptable.

Consider now the only other potential assignment scheme where the greatest lower bound of the lattice (the UNCLASSIFIED access class) is assigned to ring 0. This assignment is illustrated in figure 19.

One may now attempt to assign ring brackets to an object classified SECRET. A problem occurs immediately. One wants processes executing in ring 2 to observe SECRET objects, but then a process in ring 0 (i.e., an UNCLASSIFIED process) will also be able to observe the object. The Simple Security Condition cannot be enforced with this assignment, so the assignment scheme is not feasible.




[Figure 19. Basic National Security Assignment 2. (Diagram: access classes assigned to Ring 3 through Ring 0, UNCLASSIFIED to ring 0; not reproduced.)]



Since neither of these assignments is acceptable, and shifting the ring assignments numerically would yield similar results, one can see that no assignment will be acceptable. Therefore, the Multics Ring Mechanism is not sufficient to enforce the basic National Security policy for compromise.
2. Subversion Policy



The basic National Integrity policy [lilj is the dual of the basic National Security policy. Whereas the security policy is concerned with the unauthorized observation of information or compromise, the integrity policy is concerned with the unauthorized modification of information or subversion as discussed in section II.

Consider first the assignment of the TOP SECRET access class (the least upper bound for the lattice established by the policy) to Ring 0 (the least upper bound for the dominance domains established by the mechanism). The assignment produced is shown in figure 20.




[Figure 20. Basic National Integrity Assignment 1. (Diagram: access classes assigned to Ring 0 through Ring 3, TOP SECRET to Ring 0; not reproduced.)]
One may now examine the access relations which the Multics Ring Mechanism will permit (as shown in figure 18) and test for possible violations of the policy. In so doing, one encounters violations almost immediately. One wishes to have a process executing in Ring 1 (i.e., a SECRET process), for example, to be able to observe TOP SECRET objects in Ring 0, but the mechanism prohibits this observation. Additionally, a SECRET process could observe CONFIDENTIAL information, violating the Integrity Confinement Property. Therefore, this assignment scheme is not feasible.




[Figure 21. Basic National Integrity Assignment 2. (Diagram: access classes assigned to Ring 3 through Ring 0, TOP SECRET to Ring 3; not reproduced.)]

Consider now the only other potential assignment scheme (viz., according to the Simple Assignment Theorem) where the TOP SECRET equivalence class is assigned to Ring 3. This assignment scheme is illustrated in figure 21.

Examining this assignment, consider an object that is classified as SECRET. Such an object must be assigned a ring bracket such that it may be observed by processes in Ring 0, Ring 1 and Ring 2 only, so R2 must be assigned 2. But if R2 is 2, one is faced with a contradiction in the assignment of R1. If R1 is assigned 0, 1 or 2, then a violation of the Simple Integrity Condition occurs because UNCLASSIFIED subjects may then modify SECRET objects. If R1 is assigned 3, the Ring Bracket constraints are violated. Therefore, this assignment scheme fails to provide an assignment where the protection mechanism can enforce this policy.

According to the Simple Assignment Theorem, there are no other assignments worthy of consideration. Therefore, the Multics Ring Mechanism is not sufficient to enforce this policy either.

So far, it has been shown that the Multics Ring Mechanism is not sufficient to enforce the basic National Security policy nor the basic National Integrity policy. However, a Multics Security Kernel has been designed [28,29] that is sufficient to support both of these policies. This may seem to be a contradiction but it is not. The confusion is dissipated when one asks the question, "What form of policy does the Multics Ring Mechanism support?"
3. Program Integrity Policy



The general form of Program Integrity policies was introduced in section II. Consider now the specific program integrity policy shown in figure 22.

[Figure 22. A Program Integrity Policy. (Diagram: access modes Modify, Execute and Read arranged between "Max" and "Min"; not reproduced.)]

According to this policy, entities are partitioned into one of four access classes designated as User, Supervisor, Utility or Kernel. The sensitivity of these access classes is specified as: Kernel > Supervisor > Utility > User. An assignment to a Multics ring structure is made as shown in figure 23.

Recalling the characteristics of ring brackets shown in figure 18, "Max" is designated as Ring 0, the program integrity access class (PI) as R1 and "Min" as R2. One may note that for this policy any choice for R2 greater than or equal to R1 will do. This analysis, however, has fixed R2 at 3.

According to the assignment technique, one must now examine the access relations permitted by the mechanism and test for possible violations of the policy. Unlike previous examples, where the mechanism was obviously not sufficient to support the policy (i.e., only a single counter-example was necessary), this example examines a policy that is likely to be supported by the Multics Ring Mechanism. Knowing this, it seems appropriate to present a more careful approach for the validation of this assignment.



[Figure 23. Program Integrity Assignment 1. (Diagram: Kernel, Supervisor, Utility and User assigned to Ring 0, Ring 1, Ring 2 and Ring 3 respectively, with the Modify, Execute and Read relations drawn between them; not reproduced.)]

For simplicity, one may refer to e0 (the first equivalence class) as Kernel (i.e., the access class that labels this equivalence class of subjects and objects), e1 as Supervisor, e2 as Utility and e3 as User. One may also refer to A0 (the first dominance domain established by the Multics Ring Mechanism) as Ring 0, A1 as Ring 1, A2 as Ring 2 and A3 as Ring 3. The assignment scheme consists of assigning e0 to A0 (Kernel to Ring 0), e1 to A1 (Supervisor to Ring 1), e2 to A2 (Utility to Ring 2) and e3 to A3 (User to Ring 3). One can now evaluate the access relations permitted by the Multics Ring Mechanism and compare them with the policy.

Examining the read access first, one notes that the Multics Ring Mechanism provides no discrimination for read access since R2 is fixed at 3 for all objects. Thus subjects in A0, A1, A2 or A3 may read objects in A0, A1, A2 and A3. This corresponds with the access rights of the policy which states that subjects in e0, e1, e2 or e3 may read objects in e0, e1, e2 and e3. Therefore, the mechanism is sufficient with respect to the read access relations.

Next, examining the modify access relations, one may observe that MA0 > MA1 > MA2 > MA3. Thus a subject in A0 may modify objects in A0, A1, A2 or A3. This corresponds to the access rights of the Kernel access class in that a subject in e0 may modify objects in e0, e1, e2 and e3. Examining A1, one observes that a subject in A1 may modify objects in A1, A2 or A3 but not in A0. This corresponds with the access rights of the Supervisor access class in that a subject in e1 may modify objects in e1, e2 and e3 but not in e0. Examining A2, one observes that a subject in A2 may modify objects in A2 or A3 but not in A0 or A1. This corresponds with the access rights of the Utility access class in that a subject in e2 may modify objects in e2 or e3 but not in e0 or e1. Finally, examining A3, one observes that a subject in A3 may only modify objects in A3. This corresponds with the access rights of the User access class in that a subject in e3 may only modify objects in e3. Therefore, the Multics Ring Mechanism is sufficient to support this policy with respect to modify access relations.

Next, examining the execute access relations, one may observe that their ordering is just the inverse of the modify access relations. Thus a subject in A3 may execute objects in A0, A1, A2 and A3. This corresponds to the access rights of the User access class in that a subject in e3 may execute objects in e0, e1, e2 and e3. Examining A2, one observes that a subject in A2 may execute objects in A0, A1 or A2 but not in A3. This corresponds with the access rights of the Utility access class in that a subject in e2 may execute objects in e0, e1 and e2 but not in e3. Examining A1, one observes that a subject in A1 may execute objects in A0 or A1 but not in A2 or A3. This corresponds with the access rights of the Supervisor access class in that a subject in e1 may execute objects in e0 or e1 but not in e2 or e3. Finally, examining A0, one observes that a subject in A0 may only execute objects in A0. This corresponds with the access rights of the Kernel access class in that a subject in e0 may only execute objects in e0. Therefore, the Multics Ring Mechanism is sufficient to support this policy with respect to execute access relations.

So one may observe that for each of the access modes (read, modify and execute), the Multics Ring Mechanism is sufficient to enforce the policy. Therefore, for this assignment, no violations are possible, thus proving that the Multics Ring Mechanism is sufficient to support this Program Integrity policy.
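The three ring-mechanism analyses of this section (compromise, integrity and program integrity) can be carried out by exhaustive search over ring brackets. The following Python is an added example written for this edit, not the thesis's own code. It encodes the ring bracket rule as stated with figure 18 (read permitted from rings at or below R2, modify from rings at or below R1) and adds the execute rule assumed here for the figure 23 analysis (execute permitted from rings R1 through R2, the Multics call rule without gates, which is the reading that reproduces the execute relations described above). For each assignment scheme it asks whether every access class can be given a bracket under which the mechanism permits exactly the accesses the policy allows; R3 is fixed at 3, gates are not modelled, and the exact-match criterion is my formulation of the text's "examine the access relations and test for violations".

```python
from itertools import product

RINGS = [0, 1, 2, 3]  # rings 0 through 3, as in the text
SECURITY = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]
PROGRAM = ["User", "Utility", "Supervisor", "Kernel"]  # figure 22, least to most sensitive


def ring_allows(mode, r, bracket):
    """Ring bracket rule. read: r <= R2 and modify: r <= R1 as stated with
    figure 18; execute: R1 <= r <= R2 is assumed here (Multics call rule
    without gates). R3 is carried but unused because gates are not modelled."""
    r1, r2, _r3 = bracket
    if mode == "read":
        return r <= r2
    if mode == "modify":
        return r <= r1
    if mode == "execute":
        return r1 <= r <= r2
    raise ValueError(mode)


def rank(chain, x):
    return chain.index(x)  # position in a chain listed least to most sensitive


def compromise_policy(classes):
    """Basic National Security (compromise) policy on a linear lattice."""
    def allows(mode, s, o):
        si, oi = rank(classes, s), rank(classes, o)
        if mode == "read":    # Simple Security Condition
            return si >= oi
        if mode == "modify":  # Confinement Property
            return si <= oi
        return False
    return allows


def integrity_policy(classes):
    """Basic National Integrity (subversion) policy, the dual of the above."""
    def allows(mode, s, o):
        si, oi = rank(classes, s), rank(classes, o)
        if mode == "read":    # Integrity Confinement Property
            return si <= oi
        if mode == "modify":  # Simple Integrity Condition
            return si >= oi
        return False
    return allows


def program_integrity_policy(classes):
    """Figure 22 policy: all classes read everything, more sensitive classes
    modify less sensitive ones, less sensitive classes execute more sensitive ones."""
    def allows(mode, s, o):
        si, oi = rank(classes, s), rank(classes, o)
        if mode == "read":
            return True
        if mode == "modify":
            return si >= oi
        if mode == "execute":
            return si <= oi
        return False
    return allows


def find_bracket(policy, modes, assignment, obj_class):
    """Search all (R1, R2) with R1 <= R2 <= 3 for a bracket under which the
    mechanism permits exactly the accesses the policy allows on an object of
    obj_class; None means no bracket can realise the policy for that class."""
    for r1, r2 in product(RINGS, RINGS):
        if r1 > r2:
            continue
        bracket = (r1, r2, 3)
        if all(ring_allows(m, assignment[s], bracket) == policy(m, s, obj_class)
               for m in modes for s in assignment):
            return bracket
    return None


def validate(policy, modes, assignment):
    """('sufficient', {class: bracket}) or ('insufficient', class), naming the
    first class that cannot be given a bracket: the refuting counter-example."""
    brackets = {}
    for c in assignment:
        b = find_bracket(policy, modes, assignment, c)
        if b is None:
            return ("insufficient", c)
        brackets[c] = b
    return ("sufficient", brackets)


def orientations(classes):
    """The two schemes of the Simple Assignment Theorem for a four-ring image:
    LUB -> Ring 0 (figures 17 and 20) and GLB -> Ring 0 (figures 19 and 21)."""
    return {"lub_to_ring0": dict(zip(reversed(classes), RINGS)),
            "glb_to_ring0": dict(zip(classes, RINGS))}


def check_all():
    """Reproduce section V.A: both orientations for the compromise and
    integrity policies, and Kernel -> Ring 0 for program integrity."""
    results = {}
    for name, a in orientations(SECURITY).items():
        results[("compromise", name)] = validate(compromise_policy(SECURITY), ("read", "modify"), a)
        results[("integrity", name)] = validate(integrity_policy(SECURITY), ("read", "modify"), a)
    kernel_to_ring0 = dict(zip(reversed(PROGRAM), RINGS))
    results[("program_integrity", "kernel_to_ring0")] = validate(
        program_integrity_policy(PROGRAM), ("read", "modify", "execute"), kernel_to_ring0)
    return results
```

Calling check_all() returns "insufficient" for all four compromise and integrity cases, each with the first class for which no bracket exists, and "sufficient" for the program integrity assignment with bracket (k, 3, 3) for the class assigned to ring k, which is the R1 = PI, R2 = 3 choice the text makes.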

B. OTHER RING MECHANISMS

The Multics Ring Mechanism is by no means the only form of Ring Mechanism. By altering the requirements of the Ring Brackets and the need for a Gate Keeper, one can contemplate adapting the ring mechanisms to meet other simple hierarchical policies.

Consider using the assignment shown in figure 17, but altering the means of discrimination among objects such that the Ring Bracket is a singleton (R1). Following the rules shown in figure 24, one can adapt this ring mechanism to enforce the basic National Security policy.

[Figure 24. Security Rings. (Diagram: KERNEL [R1] MAX, with Modify permitted on one side of R1 and Observe on the other; not reproduced.)]
Similarly, figure 25 shows the rules necessary for the same assignment as shown in figure 20 to adapt this ring mechanism to meet the basic National Integrity policy.

[Figure 25. Integrity Rings. (Diagram: KERNEL [R1] MAX, with the Observe and Modify sides exchanged relative to figure 24; not reproduced.)]

To be sure, these brief suggestions do not completely characterize a practical protection mechanism. However, it appears that ring mechanisms are adaptable for the enforcement of various simple hierarchical policies.

C. CAPABILITY MECHANISMS

Considerable effort is currently underway to provide a "Provably Secure Operating System" based upon the capability mechanism [30,31]. It is important to examine what form of protection capabilities actually provide.

Capability mechanisms primarily establish two dominance domains that are enforced by the system hardware mechanism. One domain consists of capabilities, and the other is objects that are not capabilities such as segments and directories. A process takes no note of these dominance domains, however, because all processes have access to capabilities as well as other types of objects. So with respect to a process, the capability mechanism provides no inherent partitioning of the system entities at all. In fact, in trying to determine the structure of dominance domains for non-capability objects, one encounters a veritable "spaghetti bowl" of domains, devoid of any inherent, unifying structure. Thus a capability mechanism is of itself not sufficient for the enforcement of any non-discretionary security policy. Enforcement of non-discretionary security policies (i.e., those of primary interest to National Defense) must be accomplished by some other add-on mechanism.

This is not to say that a capability mechanism is not useful. For example, the mechanism can protect a security kernel in much the same way as rings protect the kernel in the Multics design.

The usefulness of the assignment technique in validating the suitability of a protection mechanism to enforce a security policy has been examined in this section. The validity of the assignment technique has been established.
VI. CONCLUSION

This research has explored the foundations of non-discretionary security, discovering an effective methodology for assessing the sufficiency of a protection mechanism to enforce a non-discretionary security policy. By formalizing the notion of a domain [6,7], and using a formal notion of non-discretionary security [3], the inseparable nature of protection mechanisms and security policies has been established. This section considers some future directions for research and summarizes the principal findings of the author.

A. FUTURE DIRECTIONS

Although this author's investigation has provided some structure to the complex nature of security, considerable research is still needed. The relationship between protection mechanisms and other operating systems mechanisms is not clear. Such issues as serializability, synchronization and distributed processing may add new dimensions to the meaning of protection. Fundamental limitations regarding implementation details remain unknown.

Additionally, one can consider the formalization of policy specifications in general. Can the enforcement of any policies other than lattice policies be evaluated? Can all enforceable policies be represented in some common form such as a lattice?

One of the most difficult problems in actually enforcing any security policy is the maintenance of unique non-forgeable attributes [oj associated with the subjects and objects. A mechanism for maintaining the uniqueness of these attributes may be called an "isolation mechanism" because it isolates those subjects that may access these attributes from those that may not. This does not prevent sharing of objects but simply provides a means of isolating these attributes from general unprotected usage. Both the capability mechanism [30,31] and the notion of a gate (mechanism) [8,28] appear to be isolation mechanisms. A comprehensive study of this problem is beyond the scope of this discussion. However, a few observations concerning isolation noted during this research are provided.

The fundamental principles upon which an isolation mechanism must rely are the notion of a segment (i.e., an atomic unit of information storage for which the access class is identified) and the tranquillity principle (i.e., the notion that the access class for a subject or an object does not change during the course of computations) [17]. If these two principles are not enforced, it is not clear how one may evaluate the enforcement of any non-discretionary security policy.
The tranquillity principle does not strictly apply to processes. In Multics, for example, processes had several domains of execution. However, since a subject is defined as a process-domain pair, one might at first suspect that a process executing in multiple domains does not present a security problem. This is not always the case, particularly when dealing with policies that attempt to limit the information flow [13].

When attempting to enforce the National Security Policy in a multi-user, multi-process environment, where a process executes in a sequential fashion (i.e., the process is serializable), one can do no better than to allow a process to proceed to its "high water mark" and then terminate at that level. Any attempt to revert to a less sensitive access class will result in a potential compromise. For example, consider the compromise technique shown in figure 26.

In this example, a malicious agent utilizes the feature of sequential processes and the basic PV synchronization mechanism [33] to take the "Info" in Dominance Domain 2 and copy it into Dominance Domain 1. In order to do so, the agent calls procedures placed in the "High" domain by subversion [3], relying only upon one process (i.e., PROCESS 0 or PROCESS 1) to return, thus providing the information in binary form to the "Low" domain. Thus by serialization and process synchronization alone, the isolation of the dominance domains has been compromised.
Figure 26. Serialization Problem.

  Dominance Domain 1 (Low)                Dominance Domain 2 (High)

  Initial State:
    Copy    : (not yet written)             Info : 101
    Gotit   : 0
    Pointer : 00001

  Execution (processes in the Low domain):

    PROCESS S ("Synchronizer")
    L1: P(1);
        Gotit := 1;
        Pointer := Pointer + 1;
        P(2);
        Gotit := 0;
        V(3);
        V(4);
        GO TO L1;

    PROCESS 0 ("Get a Zero")
    L2: CALL ZeroProc;
        IF Gotit = 0 THEN Copy(Pointer) := 0;
        V(1);
        V(2);
        P(3);
        GO TO L2;

    PROCESS 1 ("Get a One")
    L3: CALL OneProc;
        IF Gotit = 0 THEN Copy(Pointer) := 1;
        V(1);
        V(2);
        P(4);
        GO TO L3;

  Procedures placed in the High domain:

    ZeroProc:
        IF Info(Pointer) = 0 THEN RETURN;
    S1: IF Gotit = 0 THEN GO TO S1;
        RETURN.

    OneProc:
        IF Info(Pointer) = 1 THEN RETURN;
    S2: IF Gotit = 0 THEN GO TO S2;
        RETURN.

  Final State:
    Copy    : 101                           Info : 101
Note that were the processes to act independently in each dominance domain (i.e., processes are serializable only with respect to a given dominance domain or synchronization between two processes is not possible) this compromise could not occur. In general, this example shows that synchronization of processes, serialization of processes and secure computations are fundamentally related in some fashion. The exact nature of this relationship is not clear.
Protection mechanisms inherently "mirror" the policies that they enforce. Non-discretionary security policies form a lattice of access classes that may be mapped to an isomorphic image of dominance domains, inherently established by the protection mechanism. Since this has been shown, one need not illustrate separate lattices for both policy and mechanism. One unified description for both the lattice policy and its image established by the protection mechanism is sufficient for general systems design considerations.

One may also consider approaching the assignment technique from the mechanism point of view. The question then becomes, "Given some general Protection Mechanism, what form of policies will it support?" An absolute answer to this question is, in general, not available. However, one can make an evaluation for those policies that are of current interest. Thus, the assignment technique gives one a forum in which to consider the usefulness of protection mechanisms for specific policies of interest.

"Uniform protection mechanisms," i.e., those mechanisms forming lattice structures of dominance domains where the access relations between any two antisymmetric dominance domains are identical, may be represented by linear access graphs in the same manner as a policy. When the linear access graph for the policy is similar to the linear access graph for the mechanism, one can see that for a carefully chosen assignment scheme, the protection mechanism will enforce the security policy.

One may consider the development of a taxonomy of uniform protection mechanisms based upon the nature of the access control that each enforces. Such a taxonomy is beyond the scope of this discussion; however, the linear access graphs illustrated throughout this text may be helpful in initiating such an effort.

The protection provided by the Multics Ring Mechanism appears to be precisely the issue that Wulf, Jones and the other designers of the "HYDRA" system were attempting to understand [18]. They introduce their discussion by first saying:

"Protection is, in our view, a mechanism." [18]

Their discussion then proceeds to make the following general statement relative to the Multics rings:

"Our rejection of hierarchical system structures and especially ones which employ a single hierarchical relation for all aspects of system interaction, is also, in part, a consequence of the distinction between protection and security. A failure to distinguish these issues coupled with a strict hierarchical structure leads inevitably to a succession of increasingly privileged system components, and ultimately to a "most privileged" one, which gain their privilege exclusively by virtue of their position in the hierarchy. Such structures are inherently wrong ..." [18]
Had the assignment technique been available to the authors of the above statement, they would have been afforded a means of expressing their views more precisely than the ambiguous phrase "inherently wrong". The assignment technique provides a precise means for clearly formulating such an observation and evaluating its validity. As shown in section V, and in agreement with Wulf's statement, the Multics Ring Mechanism is "inherently wrong" with respect to compromise policies. On the other hand, the Multics Ring Mechanism is "just right" as a means of enforcing a program integrity policy or assisting in the enforcement of the system's hierarchical as well as non-hierarchical security policies (viz., via Security Kernels).

Additionally, in the same report [18] the authors make the following observation with respect to their overall design methodology:

"Among the major causes of our inability to experiment with, and adapt, existing operating systems is their failure to properly separate mechanisms from policy." [18]

The assignment technique has shown, however, that lattice security policies and protection mechanisms that enforce these policies are inextricably related. Recognizing this inseparability should provide considerable insight into current efforts in this area.
Overall, assignment research has provided a mathematical methodology for unifying the discussion of security related issues. One may now properly refer to an access mode as a realization of an access right, a dominance domain as a realization of an access class and a protection mechanism as a realization of a security policy.